Computer error, windows/system32/services.exe unexpectedly terminates

I've had this problem for a couple of days. When my computer loads in normal mode I can connect to the internet through my modem, but Internet Explorer does not load, nor does the internet work.
After 10 minutes services.exe unexpectedly terminates (D:/WINDOWS/system32/services.exe) and the administrator automatically shuts down the computer in 60 seconds.
I never have enough time to scan my computer during normal mode, but I have been able to do it in safe mode, but no changes have happened.
Since the internet does not load I cannot get any updates for the anti-spyware software.
The computer runs on Windows XP Pro with Service Pack 2.
I would appreciate any help anyone can give me as my sons and daughter really need to use the computer. Thanks.
Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:15:14 PM, on 6/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - D:\WINDOWS\system32\msdn_lib.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [MCUpdateExe] d:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QMusic2] "D:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Glass2k] D:\Program Files\Glass2k\Glass2k.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Firewall auto setup] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [tbon] D:\Program Files\TBONBin\tbon.exe /r
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - D:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - D:\WINDOWS\system32\dssdll32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
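The log above contains the patterns a helper looks for first: an autorun in a Temp directory (`startdrv.exe`), a file named like a core Windows process but living in a user's Temp folder (`winlogon.exe`), an O10 line saying a Winsock LSP DLL is missing (which alone explains "the modem connects but nothing works"), and Winlogon Notify / SSODL DLLs that are not part of a stock install (`rpcc.dll`, `dssdll32.dll`). The script below is an added example for this thread, not part of HijackThis or any tool used here: it parses entry lines, applies those heuristics, and diffs two logs the way the helper later does when checking which entries have disappeared. The sample input is copied from the logs posted above; the allow lists of "known good" DLLs and the heuristics themselves are assumptions, not something the thread states.

```python
"""Triage heuristics for HijackThis-style logs.

Added example for this thread, not part of HijackThis or any of the tools
named in it.  It parses the 'Oxx - ...' lines, flags the patterns the helper
acted on (autoruns from Temp, system-binary names outside system32, a broken
Winsock LSP chain, unknown Winlogon Notify / SSODL DLLs) and diffs two logs
the way a helper does when checking whether entries have gone away.
"""
import re

# Constructed sample: a subset of lines copied from the first log in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [Firewall auto setup] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - D:\WINDOWS\system32\rpcc.dll
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - D:\WINDOWS\system32\dssdll32.dll
"""

# Constructed sample: the same entries as they appear in the second log.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - D:\WINDOWS\system32\dssdll32.dll
"""

# Assumed allow lists (not from the thread): DLLs a stock XP SP2 box plus an
# Intel graphics driver and WGA legitimately register in these two hook points.
KNOWN_WINLOGON_NOTIFY = {"igfxsrvc.dll", "wgalogon.dll", "crypt32.dll", "sclgntfy.dll"}
KNOWN_SSODL = {"webcheck.dll", "stobject.dll"}

# Names of core Windows processes; a binary with one of these names that lives
# anywhere other than \WINDOWS or \WINDOWS\system32 is masquerading.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
# A drive-letter path up to the first .exe/.dll; spaces allowed, quotes excluded.
PATH_RE = re.compile(r"""[A-Za-z]:\\[^"'\r\n]*?\.(?:exe|dll)""", re.I)


def parse(log_text):
    """Return the (section, body) pairs of every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _paths(body):
    return [p.lower() for p in PATH_RE.findall(body)]


def triage(log_text):
    """Map each suspicious entry line to the list of reasons it was flagged."""
    findings = {}
    for section, body in parse(log_text):
        reasons = []
        paths = _paths(body)
        if section == "O4":
            for p in paths:
                directory, name = p.rsplit("\\", 1)
                if "temp" in directory.split("\\"):
                    reasons.append("autorun launched from a Temp directory")
                if name in SYSTEM_NAMES and not directory.endswith(("\\windows", "\\windows\\system32")):
                    reasons.append("system binary name outside its normal location")
        elif section == "O10" and "missing" in body.lower():
            reasons.append("Winsock LSP chain points at a missing DLL; networking is broken until repaired")
        elif section == "O20":
            for p in paths:
                if p.rsplit("\\", 1)[1] not in KNOWN_WINLOGON_NOTIFY:
                    reasons.append("Winlogon Notify DLL not in the allow list")
        elif section == "O21":
            for p in paths:
                if p.rsplit("\\", 1)[1] not in KNOWN_SSODL:
                    reasons.append("SSODL DLL not in the allow list; loaded into Explorer at every logon")
        if reasons:
            findings[f"{section} - {body}"] = reasons
    return findings


def removed_entries(before_text, after_text):
    """Entries present in the first log but absent from the second."""
    after = set(parse(after_text))
    return [f"{s} - {b}" for s, b in parse(before_text) if (s, b) not in after]


if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE).items():
        print(line)
        for r in reasons:
            print("   ->", r)
    print("\nGone in second log:")
    for line in removed_entries(LOG_BEFORE, LOG_AFTER):
        print("  ", line)
```

Run against the two samples it flags five lines in the first log and reports the Temp `winlogon.exe` autorun and the `rpcc.dll` Winlogon Notify entry as gone from the second, which matches the helper's reading of the logs. The O10 finding deserves a separate note: a Layered Service Provider DLL that is registered in the Winsock catalog but no longer on disk breaks every Winsock application, so the modem can connect while browsers and updaters fail; on XP SP2 the catalog can be rebuilt with `netsh winsock reset` (a stock Windows command, not a step the thread itself takes).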

Comments

  • Trogan (London, UK)
    edited June 2007
    Hi sturgis,

    I have some bad news!

    The computer is infected by several bad infections that have backdoor functionality. This can give intruders complete control of your computer, logging keystrokes, stealing information, etc. :(

    You are strongly advised to do the following immediately!:
    • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
        Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
    Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

    To help you make a more informed decision, please read the following articles. Should you have any questions, please feel free to ask.

    Please let me know your decision and we'll get started with clean up if that's what you choose.
    • edited June 2007
      Ok well I got all passwords changed by using a friend's computer. I only use eBay and I haven't bought anything from there in at least a year and I haven't logged into my account for over 6 months, plus I had been using CCleaner for a while before I experienced problems, so I think I'm protected there, but nonetheless I changed my passwords there and informed my bank.

      Since it is recommended I reformat my disk, it probably is the best thing to do.
      But I do not plan to buy anything using my computer until it is reformatted but I have never done it before and don't want to mess anything up.

      Right now though, I think I would like to see what you can do with the computer and just get it to work so I can surf the net and let my kids do homework. I would not make any new accounts or buy any items but just being able to use the computer until I can format it would be the best.

      For that reason I would be very glad if you would do what you can to help clean my computer.

      Thank you.
    • Trogan (London, UK)
      edited June 2007
      Hi sturgis,

      I can certainly help you clean the computer, and I'm glad you've taken the correct steps already.

      Please do the following...

      1. Download SDFix and save it to your Desktop.

      Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Please then reboot your computer in Safe Mode by doing the following :
      • Restart your computer
      • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      • Instead of Windows loading as normal, the Advanced Options Menu should appear;
      • Select the first option, to run Windows in Safe Mode, then press Enter.
      • Choose your usual account.
      • Open the extracted SDFix folder and double click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
        (Report.txt will also be copied to Clipboard ready for posting back on the forum).
      • Finally paste the contents of the Report.txt in your next reply.
      2. I'd like a file scanned
      • Go to VirusTotal
      • Copy and paste the following file path into the Search Box at the top of the page:
        • d:\windows\system32\pfz.dll
      • Click on the Send button
      • Save a copy of the results and post them in your next reply.
      3. I need to see another log from HijackThis.
      • Run Hijackthis.
      • Click on Open the Misc Tools section.
      • Next click on Open uninstall manager.
      • Press the Save list button.
      • Save the file to your desktop, with the default name of uninstall_list
      • Copy & Paste the entire contents of that file in your next post.
      4. Please post the following...
      • SDFix report
      • VirusTotal scan result
      • Uninstall list
      • New HijackThis log
    • edited June 2007
      Ok Trogan, I tried what you told me to do but not all worked out.

      I extracted the files for SDFix and went into safe mode and started the runthis.bat and when prompted pressed Y and it all worked. Then it said "Please be patient as this may take up to ten minutes".
      Well I was patient and I left it for over 10 minutes. In fact I left it for over 4 hours and no change came. It still displayed "Please be patient as this may take up to 10 minutes", so I shut off the computer.

      For the VirusTotal scan, I was unable to do that since you told me to disconnect my PC from the internet. Plus I would never have been able to do it because even before I disconnected it I could not access Internet Explorer.

      However, I was able to at least get a copy of the uninstall list, but I did it in safe mode because normal mode is extremely slow.

      HijackThis uninstall list:

      Ad-Aware 2007
      Adobe Flash Player 9 ActiveX
      Adobe Reader 8
      Adobe Shockwave Player
      Alcatel SpeedTouch USB Software
      Apple Software Update
      Ares 1.9.0
      Ares Tube 3.0
      Avance AC'97 Audio
      AVG Anti-Spyware 7.5
      CCleaner (remove only)
      COMODO Firewall Pro
      HijackThis 1.99.1
      Huffyuv AVI lossless video codec (Remove Only)
      ImageMixer VCD2
      Intel Application Accelerator
      Intel(R) Extreme Graphics Driver Software
      iTunes
      J2SE Runtime Environment 5.0 Update 3
      Macromedia Flash Player
      McAfee SecurityCenter
      McAfee VirusScan
      Microsoft .NET Framework 2.0
      Microsoft Internet Explorer Administration Kit 5
      Microsoft Office XP Professional with FrontPage
      Microsoft Office XP Resource Kit
      Microsoft SQL Server Desktop Engine
      Morpheus Toolbar
      MSN
      MSN Music Assistant
      MSN Toolbar
      QuickTime
      Search Enhancer
      Sony USB Driver
      Spybot - Search & Destroy 1.4
      Sympatico NetAssistant
      VideoLAN VLC media player 0.8.1
      Windows Live Messenger
      Windows Live Sign-in Assistant
      Windows Media Format Runtime
      Windows Media Player 10
    • Trogan (London, UK)
      edited June 2007
      Hi sturgis,

      Two things:

      1. Can you post a new HijackThis log.

      2. Check if Report.txt exists in C:\SDFix
    • edited June 2007
      Ok Trogan this is the report.txt that was found in the SDFix folder.

      Report.txt

      SDFix: Version 1.88

      Run by Administrator on Wed 06/27/2007 at 10:38 PM

      Microsoft Windows XP [Version 5.1.2600]

      Running From: D:\SDFix\SDFix

      Safe Mode:
      Checking Services:

      That's all that was there.

      Here is the new HijackThis log:

      Logfile of HijackThis v1.99.1
      Scan saved at 3:10:44 PM, on 6/28/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      D:\WINDOWS\System32\smss.exe
      D:\WINDOWS\system32\winlogon.exe
      D:\WINDOWS\system32\services.exe
      D:\WINDOWS\system32\lsass.exe
      D:\WINDOWS\system32\svchost.exe
      D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      D:\WINDOWS\system32\svchost.exe
      D:\WINDOWS\Explorer.EXE
      D:\Program Files\Internet Explorer\IEXPLORE.EXE
      D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
      D:\Documents and Settings\Administrator\Desktop\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - D:\WINDOWS\system32\msdn_lib.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
      O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\McUpdate.exe
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe
      O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\McAgent.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
      O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
      O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
      O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - D:\WINDOWS\system32\dssdll32.dll
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
    • Trogan (London, UK)
      edited June 2007
      Hi sturgis,

      The infections that were in your First HijackThis log, are no longer present.

      Could I ask you to try SDFix once more in Safe Mode, and if that doesn't work we can try other Tools.
    • edited July 2007
      Ok Trogan sorry for the wait.

      I tried the SDFix in safe mode again and it said "another sub directory folder already exists" and then it said "Please be patient as this may take up to 10 minutes". It stayed like this for an hour or so and I shut it off.
    • Trogan (London, UK)
      edited July 2007
      Hi,

      Please do the following...

      1. I'd like a file scanned
      • Go to VirusTotal
      • Copy and paste the following file path into the Search Box at the top of the page:
        • d:\windows\system32\pfz.dll
      • Click on the Send button
      • Save a copy of the results and post them in your next reply.
      2. Download this file to your Desktop - combofix.exe
      Double click combofix.exe & follow the prompts.
      When finished, it shall produce a log for you. Post that log in your next reply

      Note:
      Do not mouseclick combofix's window whilst it's running. That may cause it to stall

      3. Please post the following...

      Scan results
      ComboFix log
      New HijackThis log
    • edited July 2007
      Hey Trogan,

      Okay, I couldn't do the VirusTotal file scan because my internet doesn't work. So I tried to find the file and put it onto my USB stick to scan using a different computer, but I couldn't find the file; it didn't exist.

      The ComboFix program did the same thing as the SDFix program did. It never finished scanning. It just said "Please wait 10 minutes, for more infected machines this time could easily double". I left it on for a very long time.

      However I did find this report which might be associated with this:

      catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
      Rootkit scan 2007-06-21 19:28:22
      Windows 5.1.2600 Service Pack 2 NTFS
      scanning hidden processes ...
      scanning hidden services ...
      HKLM\SYSTEM\CurrentControlSet\Services\.NETFrameworkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\aawserviceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\Abiosdskceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\abp480n5ceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\ACPI80n5ceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\ACPIECn5ceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\adpu160mceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\aecu160mceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\AFDu160mceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\Aha154xmceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\aic78u2mceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\aic78xxmceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\alcan5lnceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\alcaudslceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\ALCXWDMlceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\Alerterlceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\ALGrterlceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\AliIderlceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\amsintrlceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\AppMgmtlceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\ascMgmtlceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\asc3350pceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\asc3550pceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\ASP.NETpceorkvider for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\ASP.NET_2.0.50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\Aspi32T_2.0.50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\AsyncMactate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\atapiMactate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\Atdiskactate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\Atmarpcctate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\AudioSrvtate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\audstubvtate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\BattCubvtate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\BeepCubvtate50727r for SqlServer
      HKLM\SYSTEM\CurrentControlSet\Services\BITSCubvtate50727r for SqlServer

      The new HijackThis log is:

      Logfile of HijackThis v1.99.1
      Scan saved at 11:50, on 2007-07-07
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      D:\WINDOWS\System32\smss.exe
      D:\WINDOWS\system32\winlogon.exe
      D:\WINDOWS\system32\services.exe
      D:\WINDOWS\system32\lsass.exe
      D:\WINDOWS\system32\svchost.exe
      D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      D:\WINDOWS\system32\svchost.exe
      D:\Program Files\Internet Explorer\IEXPLORE.EXE
      F:\VundoFix.exe
      D:\WINDOWS\catchme.exe
      D:\WINDOWS\explorer.exe
      D:\WINDOWS\catchme.exe
      D:\Documents and Settings\Administrator\Desktop\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - D:\WINDOWS\system32\msdn_lib.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
      O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\McUpdate.exe
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe
      O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\McAgent.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
      O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
      O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
      O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - D:\WINDOWS\system32\dssdll32.dll
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
    • Trogan (London, UK)
      edited July 2007
      Hi sturgis,

      I was hoping those scans would do the work for us, but something is preventing them from scanning so we'll have to do some manual cleaning.

      Please do the following...

      1. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

      Updating Java:
      • Download the latest version of Java Runtime Environment (JRE) 6u2.
      • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
      • Click the "Download" button to the right.
      • Check the box that says: "Accept License Agreement."
      • The page will refresh.
      • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
      • Close any programs you may have running - especially your web browser.
      • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
        • J2SE Runtime Environment 5.0 Update 3
      • Reboot your computer once all Java components are removed.
      • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
      2. Open HijackThis
      - Click the Do a system scan only button
      - Check the following entries (below)

      O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe

      - Close ALL open windows (especially Internet Explorer!)
      - Click Fix Checked
      - Close HijackThis

      3. Run HijackThis and click on Open the Misc Tools section.
      Click on Delete a file on reboot...
      Copy and paste the following into the "File name:" text box and then click Open:

      D:\WINDOWS\Temp\startdrv.exe

      When you are asked "Do you want to restart your computer now?", click OK.

      Your PC MUST reboot to delete the file!

      4. Download SmitfraudFix (by S!Ri) to your Desktop.
      http://siri.urz.free.fr/Fix/SmitfraudFix.zip
      Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

      Open the SmitfraudFix folder and double-click smitfraudfix.cmd
      Select option #1 - Search by typing 1 and press Enter
      This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

      IMPORTANT: Do NOT run any other options until you are asked to do so!

      5. Please post a new HijackThis log, along with the SmitfraudFix report.
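The entry picked out in step 2 above (an autorun launched from D:\WINDOWS\Temp) is the kind of thing a reviewer spots by eye in a HijackThis log. As an added example, not code from this thread, from HijackThis or from any tool named here, the script below parses HijackThis v1.99-style log lines and flags the same classes of entry a helper looks for: autoruns from a Temp directory, targets marked "(file missing)", a Winsock LSP entry pointing at a missing DLL, unnamed BHOs and O16 ActiveX downloads with no component name. The sample log is constructed from lines quoted in this thread; the flag names are my own.

```python
"""HijackThis log triage helper (added example; not part of HijackThis)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A log entry: section tag (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Braced CLSID as used by O2/O9/O16/O18/O21 entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-rooted path inside single or double quotes (O4 with switches, O10).
QUOTED_PATH_RE = re.compile(r"""["']([A-Za-z]:\\[^"']+)["']""")
# Unquoted drive-rooted path running to the end of the body (O2, O4, O9, ...).
BARE_PATH_RE = re.compile(r"(?i)\b[a-z]:\\.*$")
# Any "\Temp\" component, long or 8.3 form (D:\WINDOWS\Temp, LOCALS~1\Temp).
TEMP_DIR_RE = re.compile(r"(?i)\\temp\\")
FILE_MISSING = "(file missing)"


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    """Return the first drive-rooted path in an entry, quotes and suffixes stripped."""
    q = QUOTED_PATH_RE.search(body)
    if q:
        return q.group(1)
    m = BARE_PATH_RE.search(body)
    if not m:
        return None  # URLs, registry values and %systemroot% entries carry no drive path
    path = m.group(0)
    if path.endswith(FILE_MISSING):
        path = path[: -len(FILE_MISSING)]
    return path.strip()


def triage(e: Entry) -> List[str]:
    """Flag names are hypothetical labels chosen for this example."""
    flags: List[str] = []
    if e.section == "O10" and "missing" in e.body.lower():
        flags.append("broken-lsp")  # Winsock chain references a DLL that is gone
    if e.section == "O4" and e.path and TEMP_DIR_RE.search(e.path):
        flags.append("autorun-from-temp")  # legitimate software rarely autoruns from Temp
    if FILE_MISSING in e.body:
        flags.append("file-missing")  # dangling entry worth cleaning up
    if e.section == "O2" and e.body.startswith("BHO: (no name)"):
        flags.append("bho-no-name")  # review only: Spybot's SDHelper also shows this way
    if e.section == "O16" and e.clsid:
        rest = e.body.split(e.clsid, 1)[1].lstrip()
        if not rest.startswith("("):
            flags.append("dpf-no-name")  # ActiveX control with no registered name
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; non-entry lines (headers, process list) return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    e = Entry(section, body, clsid.group(0) if clsid else None, extract_path(body))
    e.flags = triage(e)
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (section, path-or-body, flags) for every flagged entry, in log order."""
    return [(e.section, e.path or e.body, e.flags) for e in parse_log(text) if e.flags]


# Constructed sample, assembled from lines quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
"""

if __name__ == "__main__":
    for section, target, flags in triage_log(SAMPLE_LOG):
        print(f"{section:4} {', '.join(flags):20} {target}")
```

The flags mark entries to review, not verdicts: the unnamed BHO in the sample is Spybot's own helper, so each flagged entry still needs a human decision.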
    • edited July 2007
      Okay Trogan, I did what you asked.

      First of all, I could not uninstall J2SE Runtime Environment 5.0 Update 3 because a message said "Windows Installer could not be accessed. This can occur if you are using safe mode or the installer is not properly installed."

      So I got out of safe mode and tried it in normal mode, but I got the same message. I also could install Java Runtime Environment (JRE) 6u2 because of the same message.

      Secondly, I did complete the Hijackthis delete the file step.

      Thirdly, the Smitfraudfix had the same sort of problem as the combofix and SDFix programs but I think I got it to work and found a report for it.

      Here is the rapport.txt:

      SmitFraudFix v2.202
      Scan done at 14:28:18.07, 2007-07-14
      Run from D:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
      OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
      The filesystem type is NTFS
      Fix run in safe mode
      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"="XenaDot Software"

      »»»»»»»»»»»»»»»»»»»»»»»» Killing process

      »»»»»»»»»»»»»»»»»»»»»»»» hosts

      This here is what it said when the SmitfraudFix didn't work properly:

      SmitFraudFix v2.202

      Scanning Process...
      D:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\ProcessList.vbs(18, 1) Microsoft VBScript runtime error: ActiveX component can't create object

      Scanning hosts...
      Scanning D:\...
      Scanning D:\WINDOWS\...
      Scanning D:\WINDOWS\system...
      Scanning D:\WINDOWS\Web...
      Scanning D:\WINDOWS\system32...
      Scanning D:\Documents and Settings\Administrator...
      Scanning D:\Documents and Settings\Administrator\Application Data...
      Scanning Start Menu...
      Scanning D:\DOCUME~1\ADMINI~1\FAVORI~1...
      Scanning Desktop...
      Scanning D:\Program Files...
      Scanning corrupted keys
      Scanning Desktop Components
      Scanning Sharedtaskscheduler
      Scanning AppInit_DLLs
      Scanning Winlogon:System

      Here is the new Hijackthis log:

      Logfile of HijackThis v1.99.1
      Scan saved at 17:57, on 2007-07-16
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      D:\WINDOWS\System32\smss.exe
      D:\WINDOWS\system32\winlogon.exe
      D:\WINDOWS\system32\services.exe
      D:\WINDOWS\system32\lsass.exe
      D:\WINDOWS\system32\svchost.exe
      D:\WINDOWS\system32\svchost.exe
      D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      D:\WINDOWS\Explorer.EXE
      D:\WINDOWS\system32\WgaTray.exe
      D:\Program Files\Internet Explorer\IEXPLORE.EXE
      D:\Documents and Settings\Administrator\Desktop\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - D:\WINDOWS\system32\msdn_lib.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
      O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\McUpdate.exe
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\McAgent.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
      O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
      O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
      O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - D:\WINDOWS\system32\dssdll32.dll
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
    • Trogan London, UK
      edited July 2007
      Hi Sturgis,

      I would like you to Uninstall AVG Anti-Spyware as we will download and install a new version.
      _______________

      Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

      Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
      http://www.ewido.net/en/download/
      • Install AVG Anti-Spyware by double clicking the installer.
      • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
      • On the main screen under Your Computer's security.
        • Click on Change state next to Resident shield. It should now change to inactive.
        • Click on Change state next to Automatic updates. It should now change to inactive.
        • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
        • Wait until you see the Update successful message.
      • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
      • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
      If you are having problems with the updater, you can use this link to manually update ewido.
      AVG Anti-Spyware manual updates.
      Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
      ______________________________

      Reboot your computer in Safe Mode.
      • If the computer is running, shut down Windows, and then turn off the power.
      • Wait 30 seconds, and then turn the computer on.
      • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      • Ensure that the Safe Mode option is selected.
      • Press Enter. The computer then begins to start in Safe mode.
      • Login on your usual account.
      ______________________________

      Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
      Select option #2 - Clean by typing 2 and press Enter.
      Wait for the tool to complete and disk cleanup to finish.
      You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
      The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

      A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

      The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
      ______________________________

      Navigate to C:\Windows\Temp
      Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

      Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
      Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

      Clean out your Temporary Internet files. Proceed like this:
      • Quit Internet Explorer and quit any instances of Windows Explorer.
      • Click Start, click Control Panel, and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
      Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

      Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
      ______________________________

      Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
      • Click on Scanner on the toolbar.
      • Click on the Settings tab.
        • Under How to act?
          • Click on Recommended Action and choose Quarantine from the popup menu.
        • Under How to scan?
          • All checkboxes should be ticked.
        • Under Possibly unwanted software:
          • All checkboxes should be ticked.
        • Under Reports:
          • Select Do not automatically generate reports
        • Under What to scan?
          • Select Scan every file.
      • Click on the Scan tab.
      • Click on Complete System Scan to start the scan process.
      • Let the program scan the machine.
      • When the scan has finished, follow the instructions below.
        IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
        • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
        • At the bottom of the window click on the Apply all Actions button. (3)
      • When done, click the Save Scan Report button. (4)
        • Click the Save Report as button.
        • Save the report to your Desktop.
      • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
      Reboot in Normal Mode.
      ______________________________

      Open the SmitfraudFix folder and double-click smitfraudfix.cmd
      Select option #3 - Delete Trusted zone by typing 3 and press Enter.
      Answer Yes to the question "Restore Trusted Zone?" by typing Y and hit Enter.

      Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
      ______________________________

      Please post:
      1. c:\rapport.txt
      2. AVG Anti-Spyware log
      3. A new HijackThis log
      You may need several replies to post the requested logs, otherwise they might get cut off.
    • edited July 2007
      Ok Trogan, I did everything you told me to and here are the logs:

      For the smitfraudfix cleaning program this is how far it got and what it said:

      SmitFraudFix v2.202

      Killing Process...
      hosts...
      Generic Renos Fix...
      Deleting Infected Files...
      Scanning DNS...
      Deleting Temp Files...
      D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF47D2.tmp
      Access is Denied.
      D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF4EE6.tmp
      Access is Denied.
    • edited July 2007
      Here is the AVG Anti-Spyware log:

      AVG Anti-Spyware - Scan Report
      + Created at: 17:43 2007-07-18
      + Scan result:

      D:\WINDOWS\system32\drivers\ip6fw.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
      C:\winwgfb.exe -> Downloader.Agent.axs : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\uvnx.exe -> Downloader.Agent.axs : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\cfgcnt.dll -> Downloader.Agent.bga : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\set64.dll -> Downloader.Agent.bga : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\oleauth32.dll -> Downloader.Agent.bnm : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\drivers\dsniff.sys -> Downloader.Agent.boq : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\dssdll32.dll -> Downloader.Agent.boq : Cleaned with backup (quarantined).
      C:\1B4.tmp -> Downloader.Agent.brk : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\username.exe -> Downloader.Agent.gd : Cleaned with backup (quarantined).
      C:\1BD.tmp -> Downloader.CWS.am : Cleaned with backup (quarantined).
      D:\WINDOWS\ServicePackFiles\services.exe -> Downloader.CWS.am : Cleaned with backup (quarantined).
      D:\WINDOWS\ServicePackFiles\xx -> Downloader.CWS.am : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\wudupdate.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\msdn_lib.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\wmvds32.dll -> Downloader.VB.asx : Cleaned with backup (quarantined).
      C:\syslwcy.exe -> Downloader.VB.att : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\tmrsrv32.exe -> Downloader.VB.avl : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\rem.dll -> Logger.Banker.cnq : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\msorcl32.exe -> Not-A-Virus.Hoax.Win32.Renos.fn : Cleaned with backup (quarantined).
      C:\1BA.tmp -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1005.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1034.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1041.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1080.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1184.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1500.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1583.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1614.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1721.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1744.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1806.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd1917.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2018.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2084.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2099.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2211.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2326.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2344.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2390.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2468.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2666.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2705.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2763.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2825.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\cd2833.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
      C:\hyefqcm.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\koos.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\main.sys -> Rootkit.Agent.el : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\drivers\kcp.sys -> Trojan.Agent.lf : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\stickrep.dll_tobedeleted -> Trojan.Agent.qf : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\ws2_32.dll:fork2 -> Trojan.Pakes : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\wsys.dll -> Trojan.Pakes : Cleaned with backup (quarantined).
      [240] D:\WINDOWS\system32\ole2.dll -> Trojan.Pakes : Cleaned with backup (quarantined).
      D:\WINDOWS\sysrlb32.exe -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld13E5.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld1719.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld1A80.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld1F18.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld1FB4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld203B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld2110.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld215.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld240A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld289C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld28BE.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld297E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld29C6.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld2BF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld328.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld3663.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld36D4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld382C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld38A2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld3AC5.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld3C46.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld3FE0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld478B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld49B2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld49F8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld5578.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld5F4C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld6011.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld60D2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld653E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld6BCF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld6EFD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld7110.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld72D1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld76F8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld7770.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld77AF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld7A18.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld7D53.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld7F1D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld80CC.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld812E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld8296.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld82B5.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld862B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld8892.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld8B52.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld8B8E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld8E69.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9165.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld92A2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9322.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld93ED.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9B2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9BA6.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9CAE.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9E17.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9E65.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9F15.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ld9F54.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldA400.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldA432.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldA4CF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldA6B4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldA931.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldA9A3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldAB0A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldAC11.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldAEE3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB058.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB068.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB166.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB355.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB364.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB5B7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB5D8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB604.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB628.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB6BD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB917.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB9EC.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldB9F1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldBF8A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC0A6.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC1CC.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC1CF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC2E5.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC4BF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC621.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC77A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC7D8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC853.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldC854.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCA28.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCAE4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCB39.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCC2C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCCF7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCE6E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCF4A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldCF78.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldD13F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldD1C3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldD335.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldD526.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldD8F0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldDA47.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldDB11.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldDC89.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldDE2E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldDFAD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE099.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE263.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE2C1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE358.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE3DA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE3EA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE409.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE41C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE429.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE4D4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE6F7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE709.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldE850.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldEDB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldF0BB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldF181.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldF1F7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldF322.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldF4BF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldF63B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldFA34.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\1024\ldFF83.tmp -> Trojan.Small : Cleaned with backup (quarantined).
      D:\WINDOWS\system32\windev-2f92-731b.sys -> Trojan.Tibs.ab : Cleaned with backup (quarantined).
      C:\1B7.tmp -> Trojan.Tibs.ak : Cleaned with backup (quarantined).
      HKU\S-1-5-21-1292428093-1085031214-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1CA480CD-C0E5-4548-874E-B85B17905B3A} -> Trojan.Zlob.f : Cleaned with backup (quarantined).
      C:\xx1232255.exe~ -> Worm.Zhelatin.dq : Cleaned with backup (quarantined).

      ::Report end
    • edited July 2007
      Here is the new Hijackthis log:

      Logfile of HijackThis v1.99.1
      Scan saved at 02:41, on 2007-07-19
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Running processes:
      D:\WINDOWS\System32\smss.exe
      D:\WINDOWS\system32\winlogon.exe
      D:\WINDOWS\system32\services.exe
      D:\WINDOWS\system32\lsass.exe
      D:\WINDOWS\system32\svchost.exe
      D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      D:\WINDOWS\system32\svchost.exe
      D:\WINDOWS\Explorer.EXE
      D:\Program Files\Internet Explorer\IEXPLORE.EXE
      D:\Program Files\Ares\Ares.exe
      D:\Documents and Settings\Administrator\Desktop\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - D:\WINDOWS\system32\msdn_lib.dll (file missing)
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
      O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\McUpdate.exe
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\McAgent.exe
      O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
      O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
      O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
      O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
      O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - D:\WINDOWS\system32\dssdll32.dll (file missing)
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
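A small triage pass over lines in the HijackThis format posted above, added here as an example (it is not part of the thread and not HijackThis's own logic): it parses the numbered sections and flags the entry types a removal helper checks first, including the O10 missing-LSP line that on its own explains the lost connectivity. The sample lines are copied from the log above; the flag rules are my own assumptions.

```python
"""Triage pass over HijackThis-format log lines (added example; not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted above (a short excerpt, not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - D:\WINDOWS\system32\msdn_lib.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\pfz.dll' missing
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O17 - HKLM\System\CS4\Services\Tcpip\..\{1C5A9349-EBB3-4935-96E6-7CF9F5E52C09}: NameServer = 206.47.244.53 206.47.244.105
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - (no file)
"""

# "O4 - HKLM\..\Run: [Name] command" -> section "O4", body "HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LSP_RE = re.compile(r"LSP provider '(?P<dll>[^']+)' missing")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O10"
    reason: str    # why a human should look at this entry
    line: str      # the original log line


def parse_entries(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, body, raw_line) for every R/F/O entry; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def command_image(cmd: str) -> str:
    """Extract the executable part of an autorun command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_bare_name(image: str) -> bool:
    """True when the command gives no directory, so Windows resolves it by search path."""
    return "\\" not in image and "/" not in image


def triage(log_text: str) -> list[Finding]:
    """Flag the entry types a malware-removal helper checks first in a HijackThis log."""
    findings: list[Finding] = []
    for section, body, raw in parse_entries(log_text):
        lowered = body.lower()
        # HijackThis marks registry entries whose target file is gone; these are leftovers to clean.
        if "(file missing)" in lowered or "(no file)" in lowered:
            findings.append(Finding(section, "points at a file that no longer exists (orphaned registry entry)", raw))
        if section == "O4":
            m = O4_RE.match(body)
            if m and is_bare_name(command_image(m.group("cmd"))):
                findings.append(Finding(section, f"autorun '{m.group('name')}' gives no directory; resolved via the search path", raw))
        elif section == "O10":
            m = LSP_RE.search(body)
            if m:
                findings.append(Finding(section, f"Winsock LSP chain references a missing DLL ({m.group('dll')}); this alone breaks connectivity", raw))
        elif section == "O16":
            # The URL is the last " - " separated field of a DPF entry.
            host = urlsplit(body.rsplit(" - ", 1)[-1]).netloc
            findings.append(Finding(section, f"ActiveX control downloaded from {host}; confirm the site is trusted", raw))
        elif section == "O17":
            m = NS_RE.search(body)
            if m:
                findings.append(Finding(section, f"DNS servers pinned in the registry ({m.group('servers')}); verify they belong to your ISP", raw))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```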
    • edited July 2007
      Ok Trogan, that is everything.
      The AVG anti-spyware steps went well and the only problem I had was with the #2 cleaning process in SmitFraudFix. Everything else was completed.
    • Trogan London, UK
      edited July 2007
      Hi Sturgis,

      AVG Anti-Virus removed a ton of infected files, and what looks like a Rootkit, which is not good news.

      I would like to go back a bit. Can you delete your current copy of SDFix, and the SDFix located at C:\SDFix. Then, download a new copy and go back into Safe Mode and try running it again please.

      Let me know the outcome and then we can continue cleanup as there could be some other hidden files we'll need to check for.
    • edited July 2007
      The new copy of SDFix didn't work in safe mode. Is there anything else I am able to do otherwise?
    • Trogan London, UK
      edited July 2007
      OK! Let's run an online scan to see what else may be there.

      Please do an online scan with Kaspersky WebScanner

      Click on Kaspersky Online Scanner

      You will be prompted to install an ActiveX component from Kaspersky; click Yes.

      Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
      • The program will launch and then begin downloading the latest definition files.
      • Once the files have been downloaded, click on NEXT.
      • Now click on Scan Settings.
      • In the scan settings, make sure that the following are selected:
        • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
        • Scan Options: Scan Archives, Scan Mail Bases
      • Click OK.
      • Now under "Select a target to scan", select My Computer.
      • The program will start and scan your system.
      • The scan will take a while, so be patient and let it run.
      • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
      • Save the file to your desktop.
      Post the Kaspersky log, along with a new HijackThis log.
        • edited July 2007
          Hi Trogan,

          I am not going to be able to complete the step you requested above because the whole problem with my computer is that it is slow and the internet does not work. It does not want to connect when I am in safe mode or in normal mode so I cannot complete the step of using the Kaspersky WebScanner because I can't get on the web.
        • Trogan London, UK
          edited July 2007
          Download WinSock XP Fix 1.2 to your Desktop. Close ALL browsers and windows and start the program. Once opened, press the "Fix" button.

          Reboot the computer and let me know if that solves the connection problem.
        • edited July 2007
          Ok Trogan, the WinSock XP Fix did somewhat work.
          First I was able to get it done in normal mode, and then after restarting I was able to connect to the internet. The thing that I could not do is that whenever I tried to go to a website, the message "Page could not be found" always came up.
          Another thing I will note is that normal mode became just a tad bit faster. It's still slow and hard to start any program, but after doing the WinSock XP thing, there was a little change in performance.

          Also, the firewall Comodo was more active, and when McAfee anti-virus tried to update, the Firewall displayed messages like some program is trying to connect through McAfee and is suspiciously acting like a trojan.
          Then the Services and Controller task unexpectedly terminates and asks if you want to "Report Problem" or "Don't send", and I click "Don't Send", but this time the Administrator does not shut down in 60 seconds like it used to, so that problem seems to be fixed.
        • Trogan London, UK
          edited July 2007
          OK, that's good to hear!

          Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
          1. Close all applications and windows.
          2. Double-click on dss.exe to run it, and follow the prompts.
          3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
          4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
        • edited July 2007
          OK Trogan, I ran the program, but it wouldn't finish and kept freezing, so I looked for the two reports and was able to find main.txt:

          Deckard's System Scanner v20070711.54
          Run by Administrator on 2007-07-26 at 12:23:14
          Computer is in Safe Mode with Networking.
          -- System Restore
          Failed to create restore point; unknown error code 0x00000000

          -- Last 1 Restore Point(s) --
          1: 2007-07-26 16:19:43 UTC - RP25 - Deckard's System Scanner Restore Point

          Backed up registry hives.
          Performed disk cleanup.

          -- HijackThis (run as Administrator.exe)
          Logfile of HijackThis v1.99.1
          Scan saved at 12:24, on 2007-07-26
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Running processes:
          D:\WINDOWS\System32\smss.exe
          D:\WINDOWS\system32\winlogon.exe
          D:\WINDOWS\system32\services.exe
          D:\WINDOWS\system32\lsass.exe
          D:\WINDOWS\system32\svchost.exe
          D:\WINDOWS\system32\svchost.exe
          D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          D:\WINDOWS\Explorer.EXE
          D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
          F:\dss.exe
          D:\DOCUME~1\ADMINI~1\Desktop\Administrator.exe
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
          O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - (no file)
          O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
          O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
          O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
          O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
          O4 - HKLM\..\Run: [MCUpdateExe] d:\PROGRA~1\mcafee.com\agent\mcupdate.exe
          O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
          O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\McAgent.exe
          O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
          O4 - HKLM\..\Run: [SuperRam] "D:\Program Files\SuperRam\SuperRam.exe" /start
          O4 - HKLM\..\Run: [WinPatrol] D:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
          O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
          O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
          O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
          O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
          O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
          O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
          O17 - HKLM\System\CS4\Services\Tcpip\..\{1C5A9349-EBB3-4935-96E6-7CF9F5E52C09}: NameServer = 206.47.244.53 206.47.244.105
          O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
          O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
          O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
          O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - (no file)
          O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
          O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
          O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
          O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

          -- HijackThis Fixed Entries (D:\DOCUME~1\ADMINI~1\Desktop\backups\)
          backup-20070711-235837-997 O4 - HKLM\..\Run: [startdrv] D:\WINDOWS\Temp\startdrv.exe
          -- File Associations
          All associations okay.

          -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
          R1 cdrbsdrv - d:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>

          -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
          R2 aawservice (Ad-Aware 2007 Service) - "d:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

          -- Scheduled Tasks
          2006-12-28 20:31:39 284 --a D:\WINDOWS\Tasks\AppleSoftwareUpdate.job

          -- Files created between 2007-06-26 and 2007-07-26
          2007-07-26 00:32:31 0 d D:\Program Files\Free Window Registry Repair
          2007-07-26 00:30:48 4608 --a D:\WINDOWS\system32\W95INF32.DLL <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
          2007-07-26 00:30:48 2272 --a D:\WINDOWS\system32\W95INF16.DLL <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
          2007-07-26 00:30:47 0 d D:\Program Files\ExeShield
          2007-07-26 00:28:50 0 d D:\Program Files\ToniArts
          2007-07-26 00:14:54 0 d D:\Program Files\Runtimeware.com
          2007-07-26 00:02:48 0 d D:\Program Files\WinPcap
          2007-07-26 00:02:43 0 d D:\Program Files\Securepoint
          2007-07-25 23:59:43 0 d D:\Program Files\SpywareBlaster
          2007-07-25 23:57:59 0 d D:\Documents and Settings\All Users\Application Data\Spyware Terminator
          2007-07-25 23:57:59 0 d D:\Documents and Settings\Administrator\Application Data\Spyware Terminator
          2007-07-25 23:57:56 0 d D:\Program Files\Spyware Terminator
          2007-07-25 22:55:13 0 d D:\Program Files\FDRLab
          2007-07-25 22:51:19 0 d D:\Program Files\WinMaid
          2007-07-25 22:51:10 185344 --a D:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
          2007-07-25 22:48:48 0 d D:\Documents and Settings\Administrator\Application Data\WinPatrol
          2007-07-25 22:48:28 0 d D:\Program Files\BillP Studios
          2007-07-25 22:48:09 411648 --a D:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
          2007-07-25 22:28:02 0 d D:\Program Files\Advanced Spyware Remover
          2007-07-25 21:46:43 1931 --a D:\WINDOWS\system32\pfdnnt_actions.sys
          2007-07-25 21:46:42 13312 --a D:\WINDOWS\system32\pfdnnt.exe
          2007-07-25 21:21:41 8576 --a D:\WINDOWS\system32\drivers\jkmndjgjehrg.sys <Not Verified; Panda Software International; RKPavProc Driver>
          2007-07-25 21:14:38 0 d D:\Program Files\Innovative Solutions
          2007-07-24 15:42:18 0 d D:\Program Files\InCode Solutions
          2007-07-24 15:40:47 0 d-a D:\Documents and Settings\All Users\Application Data\TEMP
          2007-07-24 15:40:32 0 d D:\Documents and Settings\All Users\Application Data\Google
          2007-07-24 15:33:01 0 d D:\Documents and Settings\Administrator\Application Data\RegClean
          2007-07-24 15:31:21 0 d D:\Program Files\SuperRam
          2007-07-22 18:50:59 0 dr-h D:\Documents and Settings\Administrator\Recent
          2007-07-20 15:23:52 0 d D:\WINDOWS\ERUNT
          2007-07-18 15:20:20 0 d D:\Documents and Settings\Administrator\Application Data\Grisoft
          2007-07-16 16:36:14 288417 --a D:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
          2007-07-16 16:36:14 167936 --a D:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
          2007-07-16 16:36:14 51200 --a D:\WINDOWS\system32\dumphive.exe
          2007-07-14 13:35:46 2718 --a D:\WINDOWS\system32\tmp.reg
          2007-07-07 11:48:57 208 --a D:\catchlog

          -- Find3M Report
          2007-07-26 00:28:48 0 d--h D:\Program Files\InstallShield Installation Information
          2007-07-24 15:40:32 0 d D:\Program Files\Google
          2007-07-20 18:39:15 0 d D:\Program Files\Ares
          2007-07-16 16:23:41 4 --a D:\WINDOWS\system32\stfv.bin
          2007-07-07 11:49:01 0 --a D:\Program Files\f3m0.cf
          2007-07-07 11:49:01 158 --a D:\Program Files\ComboFix.txt
          2007-06-23 22:39:40 16229881 --a D:\WINDOWS\system32\dfl1z32.dll
          2007-06-23 14:45:07 0 d D:\Program Files\Comodo
          2007-06-22 18:02:39 0 d D:\Documents and Settings\Administrator\Application Data\Comodo
          2007-06-22 01:38:04 12 --a D:\WINDOWS\system32\sl.bin
          2007-06-21 16:00:27 169984 --a D:\WINDOWS\system32\spoolsv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-06-18 16:01:24 0 d D:\Program Files\LClock
          2007-06-17 21:59:32 0 d D:\Documents and Settings\Administrator\Application Data\Sun
          2007-06-17 10:40:15 0 d D:\Program Files\Lord of the Rings
          2007-06-16 14:00:31 0 d D:\Program Files\Lavasoft
          2007-06-16 13:59:35 0 d D:\Program Files\Common Files\Wise Installation Wizard
          2007-06-16 12:14:50 125952 --a D:\WINDOWS\system32\wscntfy.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-06-13 19:56:24 270336 --a D:\WINDOWS\system32\igfxtray.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
          2007-06-13 19:56:19 229376 --a D:\WINDOWS\system32\hkcmd.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
          2007-06-12 23:21:51 502784 --a D:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-06-09 20:00:37 29912 --a D:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
          2007-06-08 22:42:39 0 d D:\Program Files\Morpheus
          2007-06-04 17:06:43 0 d D:\Documents and Settings\Administrator\Application Data\AVG7
          2007-05-30 15:54:58 12800 --a D:\WINDOWS\system32\it_pl.dll <Not Verified; Microsoft; Windows Explorer cdrom optimizer>
          2007-05-30 15:54:56 24576 --a D:\WINDOWS\system32\it_reg.exe <Not Verified; Microsoft; MYBHOHelpInstallUtility>
          2007-05-27 15:07:05 0 d D:\Program Files\QuickTime
          2007-05-26 23:41:15 156672 --a D:\WINDOWS\system32\alg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-26 19:45:08 158720 --a D:\WINDOWS\soundman.exe <Not Verified; Avance Logic, Inc.; Avance Sound Manager>
          2007-05-25 21:43:41 157696 --a D:\WINDOWS\system32\extrac32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:40:43 137216 --a D:\WINDOWS\system32\defrag.exe <Not Verified; Microsoft Corp. and Executive Software International, Inc.; Windows Disk Defragmenter>
          2007-05-25 21:40:14 126464 --a D:\WINDOWS\system32\auditusr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:54 395776 --a D:\WINDOWS\winhlp32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:50 137728 --a D:\WINDOWS\twunk_32.exe <Not Verified; Twain Working Group; Twain Thunker>
          2007-05-25 21:02:43 127488 --a D:\WINDOWS\taskman.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:41 142848 --a D:\WINDOWS\system32\xcopy.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:39 229376 --a D:\WINDOWS\system32\wscript.exe <Not Verified; Microsoft Corporation; Microsoft (r) Windows Script Host>
          2007-05-25 21:02:38 144384 --a D:\WINDOWS\system32\wpnpinst.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:38 144384 --a D:\WINDOWS\system32\wpabaln.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:36 117760 --a D:\WINDOWS\system32\winver.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:35 123904 --a D:\WINDOWS\system32\winmsd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:34 120320 --a D:\WINDOWS\system32\winhlp32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:33 177664 --a D:\WINDOWS\system32\wextract.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:22 401920 --a D:\WINDOWS\system32\vssvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:22 145920 --a D:\WINDOWS\system32\vssadmin.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:19 188416 --a D:\WINDOWS\system32\usrshuta.exe <Not Verified; U.S. Robotics Corporation; U.S. Robotics Modem Driver>
          2007-05-25 21:02:19 180224 --a D:\WINDOWS\system32\usrprbda.exe <Not Verified; U.S. Robotics Corporation; U.S. Robotics modem>
          2007-05-25 21:02:18 196608 --a D:\WINDOWS\system32\usrmlnka.exe <Not Verified; U.S. Robotics Corporation; U.S. Robotics Modem Driver>
          2007-05-25 21:02:16 136704 --a D:\WINDOWS\system32\userinit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:15 130560 --a D:\WINDOWS\system32\ups.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:15 129024 --a D:\WINDOWS\system32\upnpcont.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:14 116224 --a D:\WINDOWS\system32\unlodctr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:13 148480 --a D:\WINDOWS\system32\typeperf.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:12 129024 --a D:\WINDOWS\system32\tsshutdn.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:12 128512 --a D:\WINDOWS\system32\tskill.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:12 126976 --a D:\WINDOWS\system32\tsdiscon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:11 156672 --a D:\WINDOWS\system32\tscupgrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:11 126976 --a D:\WINDOWS\system32\tscon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:10 143872 --a D:\WINDOWS\system32\tracert6.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:10 124416 --a D:\WINDOWS\system32\tracert.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:09 371712 --a D:\WINDOWS\system32\tracerpt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:08 185344 --a
          D:\WINDOWS\system32\tlntsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:08 190464 --a
          D:\WINDOWS\system32\tlntsess.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:07 173568 --a
          D:\WINDOWS\system32\tlntadmn.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:07 129024 --a
          D:\WINDOWS\system32\tftp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:07 187392 --a
          D:\WINDOWS\system32\telnet.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:06 131584 --a
          D:\WINDOWS\system32\tcpsvcs.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:06 124416 --a
          D:\WINDOWS\system32\tcmsetup.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:05 247808 --a
          D:\WINDOWS\system32\taskmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:05 127488 --a
          D:\WINDOWS\system32\taskman.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:04 115200 --a
          D:\WINDOWS\system32\systray.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:04 180224 --a
          D:\WINDOWS\system32\systeminfo.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:03 218112 --a
          D:\WINDOWS\system32\sysocmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:03 148992 --a
          D:\WINDOWS\system32\syskey.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:02 163328 --a
          D:\WINDOWS\system32\syncapp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:01 121344 --a
          D:\WINDOWS\system32\subst.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:02:01 126976 --a
          D:\WINDOWS\system32\stimon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:47 123904 --a
          D:\WINDOWS\system32\spnpinst.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:46 124928 --a
          D:\WINDOWS\system32\spiisupd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:46 135680 --a
          D:\WINDOWS\system32\sort.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:44 201728 --a
          D:\WINDOWS\system32\smlogsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:43 120320 --a
          D:\WINDOWS\system32\smbinst.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:43 138240 --a
          D:\WINDOWS\system32\skeys.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:42 131584 --a
          D:\WINDOWS\system32\shutdown.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:42 189952 --a
          D:\WINDOWS\system32\shrpubw.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:41 154624 --a
          D:\WINDOWS\system32\shmgrate.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:40 126976 --a
          D:\WINDOWS\system32\shadow.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:39 121856 --a
          D:\WINDOWS\system32\sfc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:39 135168 --a
          D:\WINDOWS\system32\setup.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:38 143360 --a
          D:\WINDOWS\system32\sethc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:37 130560 --a
          D:\WINDOWS\system32\secedit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:35 189440 --a
          D:\WINDOWS\system32\sdbinst.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:35 233984 --a
          D:\WINDOWS\system32\schtasks.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:34 207872 --a
          D:\WINDOWS\system32\scardsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:34 143360 --a
          D:\WINDOWS\system32\sc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:34 125440 --a
          D:\WINDOWS\system32\savedump.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:33 128000 --a
          D:\WINDOWS\system32\rwinsta.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:32 126464 --a
          D:\WINDOWS\system32\runonce.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:32 128512 --a
          D:\WINDOWS\system32\runas.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:31 189440 --a
          D:\WINDOWS\system32\rtcshare.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:31 244736 --a
          D:\WINDOWS\system32\rsvp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:30 175104 --a
          D:\WINDOWS\system32\rsopprov.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:30 219648 --a
          D:\WINDOWS\system32\rsnotify.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:30 161280 --a
          D:\WINDOWS\system32\rsmui.exe <Not Verified; Microsoft Corporation; Microsoft® Windows Whistler® Operating System>
          2007-05-25 21:01:29 136704 --a
          D:\WINDOWS\system32\rsmsink.exe <Not Verified; Microsoft Corporation; Microsoft® Windows Whistler® Operating System>
          2007-05-25 21:01:29 161280 --a
          D:\WINDOWS\system32\rsm.exe <Not Verified; Microsoft Corp; Microsoft(R) Windows (R) 2000 Operating System>
          2007-05-25 21:01:28 126976 --a
          D:\WINDOWS\system32\rsh.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:28 137728 --a
          D:\WINDOWS\system32\routemon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:27 132096 --a
          D:\WINDOWS\system32\route.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:27 125952 --a
          D:\WINDOWS\system32\rexec.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:25 121856 --a
          D:\WINDOWS\system32\reset.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:25 124928 --a
          D:\WINDOWS\system32\replace.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:01:25 144896 --a
          D:\WINDOWS\system32\relog.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:51 116736 --a
          D:\WINDOWS\system32\regwiz.exe <Not Verified; Microsoft; RegWizExe>
          2007-05-25 21:00:51 123904 --a
          D:\WINDOWS\system32\regsvr32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:51 145920 --a
          D:\WINDOWS\system32\regini.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:50 115712 --a
          D:\WINDOWS\system32\regedt32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:50 162304 --a
          D:\WINDOWS\system32\reg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:49 119296 --a
          D:\WINDOWS\system32\recover.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:49 179200 --a
          D:\WINDOWS\system32\rdshost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:48 125952 --a
          D:\WINDOWS\system32\rdsaddin.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:48 174592 --a
          D:\WINDOWS\system32\rdpclip.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:47 133632 --a
          D:\WINDOWS\system32\rcp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:47 168960 --a
          D:\WINDOWS\system32\rasphone.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:46 123392 --a
          D:\WINDOWS\system32\rasdial.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:46 123904 --a
          D:\WINDOWS\system32\rasautou.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:45 134144 --a
          D:\WINDOWS\system32\qwinsta.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:45 132608 --a
          D:\WINDOWS\system32\qprocess.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:44 129024 --a
          D:\WINDOWS\system32\qappsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:44 121344 --a
          D:\WINDOWS\system32\proxycfg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:43 162304 --a
          D:\WINDOWS\system32\proquota.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:43 221696 --a
          D:\WINDOWS\system32\progman.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:42 121344 --a
          D:\WINDOWS\system32\print.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:41 161280 --a
          D:\WINDOWS\system32\powercfg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:41 145408 --a
          D:\WINDOWS\system32\ping6.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:40 130048 --a
          D:\WINDOWS\system32\ping.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:40 128000 --a
          D:\WINDOWS\system32\perfmon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:39 127488 --a
          D:\WINDOWS\system32\pentnt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:39 133632 --a
          D:\WINDOWS\system32\pathping.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:38 170496 --a
          D:\WINDOWS\system32\packager.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:38 152576 --a
          D:\WINDOWS\system32\osuninst.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:37 179712 --a
          D:\WINDOWS\system32\openfiles.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:26 238592 --a
          D:\WINDOWS\system32\nwscript.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:25 531968 --a
          D:\WINDOWS\system32\ntvdm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:24 143872 --a
          D:\WINDOWS\system32\ntsd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:18 188928 --a
          D:\WINDOWS\system32\nslookup.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:16 148992 --a
          D:\WINDOWS\system32\netstat.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:15 198144 --a
          D:\WINDOWS\system32\netsh.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:15 441856 --a
          D:\WINDOWS\system32\netsetup.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:13 223232 --a
          D:\WINDOWS\system32\netdde.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:13 237056 --a
          D:\WINDOWS\system32\net1.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:12 154624 --a
          D:\WINDOWS\system32\net.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:12 116224 --a
          D:\WINDOWS\system32\nddeapir.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 21:00:11 132608 --a
          D:\WINDOWS\system32\nbtstat.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:57 124416 --a
          D:\WINDOWS\system32\mstinit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:57 118784 --a
          D:\WINDOWS\system32\msswchx.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:56 153088 --a
          D:\WINDOWS\system32\msiregmv.exe <Not Verified; Microsoft Corporation; Windows Installer - Unicode>
          2007-05-25 20:59:55 141312 --a
          D:\WINDOWS\system32\mshta.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:54 133120 --a
          D:\WINDOWS\system32\msg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:54 118272 --a
          D:\WINDOWS\system32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
          2007-05-25 20:59:52 124928 --a
          D:\WINDOWS\system32\mrinfo.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:51 229376 --a
          D:\WINDOWS\system32\mqtgsvc.exe <Not Verified; Microsoft Corporation; Microsoft Message Queue>
          2007-05-25 20:59:51 116736 --a
          D:\WINDOWS\system32\mqsvc.exe <Not Verified; Microsoft Corporation; Microsoft Message Queue>
          2007-05-25 20:59:51 132096 --a
          D:\WINDOWS\system32\mqbkup.exe <Not Verified; Microsoft Corporation; Microsoft Message Queue>
          2007-05-25 20:59:50 134144 --a
          D:\WINDOWS\system32\mpnotify.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:50 120320 --a
          D:\WINDOWS\system32\mountvol.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:49 147456 --a
          D:\WINDOWS\system32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
          2007-05-25 20:59:48 163840 --a
          D:\WINDOWS\system32\migpwd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:45 197632 --a
          D:\WINDOWS\system32\makecab.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:39 120320 --a
          D:\WINDOWS\system32\lpr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:38 118272 --a
          D:\WINDOWS\system32\lpq.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:38 127488 --a
          D:\WINDOWS\system32\logoff.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:37 171520 --a
          D:\WINDOWS\system32\logman.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:37 216064 --a
          D:\WINDOWS\system32\logagent.exe <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
          2007-05-25 20:59:37 117248 --a
          D:\WINDOWS\system32\lodctr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:36 187392 --a
          D:\WINDOWS\system32\locator.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:36 137216 --a
          D:\WINDOWS\system32\lnkstub.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:35 141824 --a
          D:\WINDOWS\system32\lights.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:35 121856 --a
          D:\WINDOWS\system32\label.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:32 135680 --a
          D:\WINDOWS\system32\ipxroute.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:32 165376 --a
          D:\WINDOWS\system32\ipv6.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:32 156160 --a
          D:\WINDOWS\system32\ipsec6.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:31 167936 --a
          D:\WINDOWS\system32\ipconfig.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:29 262144 --a
          D:\WINDOWS\system32\imapi.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:28 266240 --a
          D:\WINDOWS\system32\igfxdiag.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
          2007-05-25 20:59:28 598016 --a
          D:\WINDOWS\system32\igfxcfg.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
          2007-05-25 20:59:27 226816 --a
          D:\WINDOWS\system32\iexpress.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:24 119808 --a
          D:\WINDOWS\system32\hostname.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:23 126976 --a
          D:\WINDOWS\system32\help.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:23 151552 --a
          D:\WINDOWS\system32\grpconv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:22 169472 --a
          D:\WINDOWS\system32\gpupdate.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:22 167424 --a
          D:\WINDOWS\system32\getmac.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:21 154624 --a
          D:\WINDOWS\system32\ftp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:20 168448 --a
          D:\WINDOWS\system32\fsutil.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:20 305152 --a
          D:\WINDOWS\system32\fsquirt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:19 119296 --a
          D:\WINDOWS\system32\forcedos.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:19 133120 --a
          D:\WINDOWS\system32\fontview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:18 134656 --a
          D:\WINDOWS\system32\fltMc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:18 115200 --a
          D:\WINDOWS\system32\fixmapi.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:18 121344 --a
          D:\WINDOWS\system32\finger.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:17 139264 --a
          D:\WINDOWS\system32\findstr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:17 121344 --a
          D:\WINDOWS\system32\find.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:16 126976 --a
          D:\WINDOWS\system32\fc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:15 128000 --a
          D:\WINDOWS\system32\expand.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:14 120832 --a
          D:\WINDOWS\system32\eventvwr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:13 189952 --a
          D:\WINDOWS\system32\eventtriggers.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:12 162304 --a
          D:\WINDOWS\system32\eventcreate.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:12 305152 --a
          D:\WINDOWS\system32\eudcedit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:11 1413120 --a
          D:\WINDOWS\system32\dxdiag.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:10 151552 --a
          D:\WINDOWS\system32\esentutl.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:09 294912 --a
          D:\WINDOWS\system32\dwwin.exe <Not Verified; Microsoft Corporation; Microsoft Application Error Reporting>
          2007-05-25 20:59:08 130048 --a
          D:\WINDOWS\system32\dvdupgrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:08 167424 --a
          D:\WINDOWS\system32\dvdplay.exe <Not Verified; ; dvdplay Application>
          2007-05-25 20:59:07 122880 --a
          D:\WINDOWS\system32\dumprep.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:07 157696 --a
          D:\WINDOWS\system32\drwtsn32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:03 195584 --a
          D:\WINDOWS\system32\dpvsetup.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:02 130560 --a
          D:\WINDOWS\system32\dpnsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:01 142336 --a
          D:\WINDOWS\system32\dplaysvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:59:00 122880 --a
          D:\WINDOWS\system32\doskey.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:58:59 128000 --a
          D:\WINDOWS\system32\dmremote.exe <Not Verified; Microsoft Corp.; Logical Disk Manager for Windows NT>
          2007-05-25 20:58:59 336896 --a
          D:\WINDOWS\system32\dmadmin.exe <Not Verified; Microsoft Corp., Veritas Software; Logical Disk Manager for Windows NT>
          2007-05-25 20:58:58 116736 --a
          D:\WINDOWS\system32\dllhst3g.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:42 130048 --a
          D:\WINDOWS\system32\diskperf.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:41 275968 --a
          D:\WINDOWS\system32\diskpart.exe <Not Verified; Microsoft Corporation; Microsoft Corporation Diskpart Application>
          2007-05-25 20:54:39 197632 --a
          D:\WINDOWS\system32\diantz.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:38 194560 --a
          D:\WINDOWS\system32\dfrgfat.exe <Not Verified; Microsoft Corp. and Executive Software International, Inc.; Windows Disk Defragmenter>
          2007-05-25 20:54:37 142336 --a
          D:\WINDOWS\system32\ddeshare.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:36 117248 --a
          D:\WINDOWS\system32\dcomcnfg.exe <Not Verified; Microsoft Corporation; COM Services>
          2007-05-25 20:54:35 127488 --a
          D:\WINDOWS\system32\ctfmon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:35 212992 --a
          D:\WINDOWS\system32\cscript.exe <Not Verified; Microsoft Corporation; Microsoft (r) Windows Script Host>
          2007-05-25 20:54:34 125952 --a
          D:\WINDOWS\system32\convert.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:33 139776 --a
          D:\WINDOWS\system32\conime.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:17 129536 --a
          D:\WINDOWS\system32\compact.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:16 128000 --a
          D:\WINDOWS\system32\comp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:15 175616 --a
          D:\WINDOWS\system32\cmstp.exe <Not Verified; Microsoft Corporation; Microsoft(R) Connection Manager>
          2007-05-25 20:54:14 152064 --a
          D:\WINDOWS\system32\cmmon32.exe <Not Verified; Microsoft Corporation; Microsoft(R) Connection Manager>
          2007-05-25 20:54:14 159232 --a
          D:\WINDOWS\system32\cmdl32.exe <Not Verified; Microsoft Corporation; Microsoft(R) Connection Manager>
          2007-05-25 20:54:12 145408 --a
          D:\WINDOWS\system32\clipsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
          2007-05-25 20:54:11 119808 --a
        • edited July 2007
          There was no extra.txt log, but here is the new HijackThis log:

          Logfile of HijackThis v1.99.1
          Scan saved at 11:48, on 2007-07-27
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Running processes:
          D:\WINDOWS\System32\smss.exe
          D:\WINDOWS\system32\winlogon.exe
          D:\WINDOWS\system32\services.exe
          D:\WINDOWS\system32\lsass.exe
          D:\WINDOWS\system32\svchost.exe
          D:\WINDOWS\system32\svchost.exe
          D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
          D:\WINDOWS\Explorer.EXE
          D:\WINDOWS\system32\NOTEPAD.EXE
          D:\Program Files\McAfee.com\Agent\mcagent.exe
          D:\Documents and Settings\Administrator\Desktop\HijackThis.exe
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - (no file)
          O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
          O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
          O4 - HKLM\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
          O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
          O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
          O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\McAgent.exe
          O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
          O4 - HKLM\..\Run: [SuperRam] "D:\Program Files\SuperRam\SuperRam.exe" /start
          O4 - HKLM\..\Run: [WinPatrol] D:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
          O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
          O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\system32\shdocvw.dll
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
          O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
          O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
          O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeNewReleaseInstall.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
          O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
          O17 - HKLM\System\CCS\Services\Tcpip\..\{1C5A9349-EBB3-4935-96E6-7CF9F5E52C09}: NameServer = 206.47.244.53 206.47.244.105
          O17 - HKLM\System\CS3\Services\Tcpip\..\{1C5A9349-EBB3-4935-96E6-7CF9F5E52C09}: NameServer = 206.47.244.53 206.47.244.105
          O17 - HKLM\System\CS4\Services\Tcpip\..\{1C5A9349-EBB3-4935-96E6-7CF9F5E52C09}: NameServer = 206.47.244.53 206.47.244.105
          O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
          O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
          O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
          O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - (no file)
          O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
          O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
          O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
          O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
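          As an added example that is not part of this thread, here is a small Python parser for the HijackThis line types a reviewer looks at first in a log like the one above: O16 entries (ActiveX controls installed from a .cab), O17 entries (per-interface DNS server overrides), and entries whose target file no longer exists. The sample lines are copied from the log above; the "unnamed O16 entry" triage rule is my own heuristic, not a HijackThis feature.

```python
import re
from urllib.parse import urlparse

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {EC84A858-8398-48D6-8E6B-DB0C4CD7B731} - (no file)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C5A9349-EBB3-4935-96E6-7CF9F5E52C09}: NameServer = 206.47.244.53 206.47.244.105
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
"""

# O16: CLSID of the control, an optional friendly name in parentheses, then the .cab URL.
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# O17: registry key of the interface, then one or more DNS servers separated by spaces.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")

def parse_dpf(log):
    """Return one dict per O16 entry: clsid, name (None if absent), url and host."""
    entries = []
    for line in log.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append({"clsid": m["clsid"], "name": m["name"],
                            "url": m["url"], "host": urlparse(m["url"]).hostname})
    return entries

def unnamed_dpf(log):
    """Triage heuristic (mine): O16 entries with no friendly name get checked first."""
    return [e["clsid"] for e in parse_dpf(log) if not e["name"]]

def parse_nameservers(log):
    """Every DNS server set via O17, in order of first appearance, for the reviewer to confirm against the ISP."""
    servers = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for s in m["servers"].split():
                if s not in servers:
                    servers.append(s)
    return servers

def orphan_entries(log):
    """Entries pointing at files that no longer exist: leftover registry noise worth cleaning."""
    return [l.strip() for l in log.splitlines()
            if l.rstrip().endswith(("(no file)", "(file missing)"))]
```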
        • TroganTrogan London, UK
          edited July 2007
          Hi Sturgis,

          Since a lot of the scans keep crashing, we need to check for rootkits.

          Download Gmer to your Desktop and unzip it to your Desktop.
          http://www.gmer.net/gmer.zip

          Disconnect from the internet and close running programs.
          There is a small chance this application may crash your computer, so save any work you have open.
          Double click gmer.exe.
          Let the gmer.sys driver load if asked.
          If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... say OK.
          If no warning....
          Click the rootkit tab.
          To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
          Once done click the Copy button.
          Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

          Click the >>> tab. This will open up all available tabs for you.
          Click the Autostart tab, then the Scan button. Once it's done, click the Copy button and paste it into a new Notepad document. Save that document to your desktop please.

          Post the logs back here please.